| Reporter | Title | Published | Views | Family All 904 |
|---|---|---|---|---|
| CVE-2026-48931 | 22 Jun 202618:59 | – | attackerkb | |
| CVE-2026-48937 | 18 Jun 202618:01 | – | attackerkb | |
| CVE-2026-48617 | 18 Jun 202616:21 | – | attackerkb | |
| CVE-2026-48935 | 26 Jun 202601:14 | – | attackerkb | |
| CVE-2026-48933 | 26 Jun 202601:14 | – | attackerkb | |
| CVE-2026-48934 | 26 Jun 202601:14 | – | attackerkb | |
| CVE-2026-48928 | 26 Jun 202601:14 | – | attackerkb | |
| CVE-2026-48930 | 26 Jun 202601:14 | – | attackerkb | |
| CVE-2026-48615 | 26 Jun 202601:14 | – | attackerkb | |
| CVE-2026-48618 | 26 Jun 202601:14 | – | attackerkb |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2023 Security Advisory ALAS2023-2026-1920.
##
include('compat.inc');
if (description)
{
script_id(327374);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/16");
script_cve_id(
"CVE-2026-6733",
"CVE-2026-6734",
"CVE-2026-9678",
"CVE-2026-9679",
"CVE-2026-9697",
"CVE-2026-11525",
"CVE-2026-11822",
"CVE-2026-11824",
"CVE-2026-12151",
"CVE-2026-48615",
"CVE-2026-48617",
"CVE-2026-48618",
"CVE-2026-48619",
"CVE-2026-48928",
"CVE-2026-48930",
"CVE-2026-48931",
"CVE-2026-48933",
"CVE-2026-48934",
"CVE-2026-48935",
"CVE-2026-48937"
);
script_name(english:"Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1920)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2023 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1920 advisory.
When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax,
or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec
values are silently mapped to one of the three standard tokens:
SameSite=NoneOfYourBusiness is parsed as None, the most permissive setting.SameSite=StrictLax is parsed as
Lax, a downgrade from Strict.Affected applications are those that consume Set-Cookie headers from server
responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed
sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's
SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to
provide.
This was introduced in undici 5.15.0 when the cookies feature was added. (CVE-2026-11525)
SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension
that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying
a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in
fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in
fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an
FTS5 MATCH query is executed against the malicious database. (CVE-2026-11822)
SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search
extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database
with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger
an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH
query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled
with SQLITE_ENABLE_FTS5. (CVE-2026-11824)
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message
but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many
small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively
causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of
service.
Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the
WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket
endpoint.
All releases starting at undici 6.17.0 are affected. (CVE-2026-12151)
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERR_PROXY_TUNNEL error
messages.
When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and
captured by logs, diagnostics, or other error consumers.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
(CVE-2026-48615)
A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path
Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under
affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js
24**, and **Node.js 26**. (CVE-2026-48617)
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls
wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.
This can lead to confidentiality impact or bypass of the intended security boundary under affected
configurations.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
(CVE-2026-48618)
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could
lead to an Out of Memory error on the client.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
(CVE-2026-48619)
A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
(CVE-2026-48928)
A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority
rebinding due to c-string truncation in resolver bindings.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
(CVE-2026-48930)
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the
client has sent the request.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
(CVE-2026-48931)
A flaw in Node.js WebCrypto implementation can crash the process if the input of subtle.encrypt() is a
multiple of 2GiB.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
(CVE-2026-48933)
A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
(CVE-2026-48934)
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as
read-only with e.g. --allow-fs-read.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
(CVE-2026-48935)
A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY`
frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.
(CVE-2026-48937)
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An
attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after
a request completes. When the client dispatches the next request on that socket, it associates the
injected response with the new request, causing responses to be delivered to the wrong requests.
This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection
reuse. (CVE-2026-6733)
When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without
verifying that the pool's origin matches the requested origin. All requests are dispatched through the
pool connected to the first origin, regardless of the intended destination.
This causes cross-origin request routing: credentials and request data intended for origin B are sent to
origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to
HTTP.
Impacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make
requests to more than one origin.
This was introduced in undici 7.23.0 via #4385 and affects all versions through 8.1.0. (CVE-2026-6734)
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-
Control header uses whitespace-padded qualified private or no-cache field names such as private=
authorization or no-cache=\tauthorization. The parser preserves the surrounding whitespace, so later
comparisons against the literal authorization field name fail and the response is stored.
In shared-cache mode, this allows a response containing one user's authenticated data to be served from
cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same
cache key.
Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in
shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical
qualified private or no-cache directives. (CVE-2026-9678)
undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded
sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 SS5.4 does not
specify any decoding and browsers do not decode either.
Applications that parse a Set-Cookie header and then forward the parsed value into a response header
(proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-
controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the
application's downstream response, enabling session fixation, open redirect, or cache poisoning.
Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie,
getSetCookies) and forward the parsed cookie value into a response header.
This was introduced in undici 7.0.0 (CVE-2026-9679)
undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI
(socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's
default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.
Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is
SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-
trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and
tamper of the HTTPS exchange.
Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5
AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5
support was added. (CVE-2026-9697)
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2023/ALAS2023-2026-1920.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-11525.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-11822.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-11824.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12151.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48615.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48617.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48618.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48619.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48928.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48930.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48931.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48933.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48934.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48935.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48937.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-6733.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-6734.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-9678.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-9679.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-9697.html");
script_set_attribute(attribute:"solution", value:
"Run 'dnf update nodejs24 --releasever 2023.12.20260706' or
or 'dnf update --advisory ALAS2023-2026-1920 --releasever 2023.12.20260706' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-48930");
script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2026-11824");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/09");
script_set_attribute(attribute:"patch_publication_date", value:"2026/07/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs24");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs24-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs24-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs24-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs24-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs24-full-i18n");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs24-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs24-libs-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs24-npm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:v8-13.6-devel");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2023");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm2.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "-2023")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2023", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'nodejs24-24.18.0-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-24.18.0-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-debuginfo-24.18.0-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-debuginfo-24.18.0-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-debugsource-24.18.0-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-debugsource-24.18.0-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-devel-24.18.0-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-devel-24.18.0-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-docs-24.18.0-1.amzn2023.0.1', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-full-i18n-24.18.0-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-full-i18n-24.18.0-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-libs-24.18.0-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-libs-24.18.0-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-libs-debuginfo-24.18.0-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-libs-debuginfo-24.18.0-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs24-npm-11.16.0-1.24.18.0.1.amzn2023.0.1', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'v8-13.6-devel-13.6.233.17-1.24.18.0.1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
{'reference':'v8-13.6-devel-13.6.233.17-1.24.18.0.1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nodejs24 / nodejs24-debuginfo / nodejs24-debugsource / etc");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation